Testing adversarial robustness of systems with limited access

ABSTRACT

An adversarial robustness testing method, system, and computer program product include testing a robustness of a black-box system under different access settings via an accelerator.

BACKGROUND

The present invention relates generally to an adversarial robustnesstesting method, and more particularly, but not by way of limitation, toa system, method, and computer program product for an accelerationmodule (i.e., an accelerator) that reliably speeds up robustness testingof black-box artificial intelligence (AI) and machine-learning (ML)models under different access settings.

Black-box attacks on machine learning (ML) systems is the study ofadversarial examples and algorithms that generate them and include howto analyze how state-of-the-art ML systems behave in extreme situations(e.g., when an authentic image is intentionally corrupted byimperceptible noises to deceive a well-trained image classifier intomisclassification). This is currently one of the most prominent topicsin AI and could potentially help to shape a future of advanced AIplatforms that not only perform well in average cases, but also in worstcases or adverse situations.

In recent years, deep neural networks (DNNs) have achieved significantbreakthroughs in many machine learning tasks such as natural languageprocessing (NLP), computer vision, speech processing, etc. However,despite success, there have been many recent studies showing that eventhe state-of-the-art DNNs are still vulnerable to adversarialmisclassification attacks. This raises security concerns about arobustness of DNNs in extreme situations, which are very important inmany application domains that require high reliability and dependabilitysuch as face recognition, autonomous driving vehicles, and malwaredetection. Investigating adversarial examples and potential attacks thatgenerate them has become an increasingly prevailing topic in AI securityand safety, which aims to analyze how modern ML systems (such as DNNs)could be broken in extreme situations. Such an analysis would shed lighton potential defensive measures to be incorporated, which essentiallylay the groundwork to building a new generation of highly robust andreliable ML models that will be the core engine of future AI technology.

However, most of the preliminary studies on this topic are stillrestricted to a white-box setting where the adversary has completeaccess and knowledge of a target system (e.g., DNNs) and the operatingmechanism. For instance, assuming knowledge of a DNN model's internalstructure and parameters, the adversary can compute a gradient of anoutput with respect to an input to identify an effect of perturbing thevalues of certain input components on a predicted output. Consequently,this can be used to construct an adversarial example that would likelybe misclassified by the target model. Despite the theoretical interest,such approaches often have very limited use in practical black-boxsystems where internal states/configurations and operating mechanism ofpublic ML systems are not revealed to the practitioners and the onlymode of interaction with the system is via submitting inputs andreceiving the corresponding predicted outputs.

One conventional approach to exploring black-box attacks is to usegradient estimation via zeroth-order optimization (‘ZOO’). Thisconventional approach makes queries to a model and estimates the outputgradients with respect to the corresponding inputs. Then, the approachapplies a ‘Carlini and Wagner (C&W) attack method’ to generateadversarial examples. However, this conventional technique is verycomputationally intensive because it requires a large number of queriesper iteration to generate an accurate gradient estimation.

Alternatively, a different conventional technique is aimed to estimatean output gradient via a greedy local search. At each iteration, theconventional technique perturbs only a subset of the input component.This local search technique is very computationally efficient, but thetechnique does not explicitly minimize the distortion between theoriginal input and its perturbed version. Also, the crafted noises oftenappear more visible. Moreover, the technique has not been tested ondata-intensive domains such as ImageNet.

Another conventional technique investigates more realistic threat modelsby defining the query-limited setting, the partial information setting,and the label-only setting. Three attacks methods are proposed based onthe Natural Evolutionary Strategies and Monte Carlo approximation. But,this technique only places limits on the L_(∞) norm instead ofminimizing a certain L_(p) norm.

SUMMARY

Thus, the inventors have identified a need in the art for an adversarialattack in the application of image (i.e., an input) classification withdeep neural networks (DNNs).

In an exemplary embodiment, the present invention provides acomputer-implemented adversarial robustness testing method for checkinga learning performance of a black-box system, the method includingtesting a robustness of a black-box system under different accesssettings via an accelerator.

One or more other exemplary embodiments include a computer programproduct and a system, based on the method described above.

Other details and embodiments of the invention will be described below,so that the present contribution to the art can be better appreciated.Nonetheless, the invention is not limited in its application to suchdetails, phraseology, terminology, illustrations and/or arrangements setforth in the description or shown in the drawings. Rather, the inventionis capable of embodiments in addition to those described and of beingpracticed and carried out in various ways and should not be regarded aslimiting.

As such, those skilled in the art will appreciate that the conceptionupon which this disclosure is based may readily be utilized as a basisfor the designing of other structures, methods and systems for carryingout the several purposes of the present invention. It is important,therefore, that the claims be regarded as including such equivalentconstructions insofar as they do not depart from the spirit and scope ofthe present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects of the invention will be better understood from the followingdetailed description of the exemplary embodiments of the invention withreference to the drawings, in which:

FIG. 1 exemplarily shows a high-level flow chart for an adversarialrobustness testing method 100 according to an embodiment of the presentinvention;

FIG. 2 exemplarily depicts a framework for testing a robustness of ablack-box system according to an embodiment of the present invention;

FIG. 3 exemplarily depicts an experimental result as compared toconventional techniques;

FIG. 4 exemplarily depicts an adversarial example evolution for MNISTstarting from an image in a target class when a Query=0 according to anembodiment of the present invention;

FIG. 5 exemplarily depicts an adversarial example evolution for CIFAR-10starting from the image in the target class when a Query=0 according toan embodiment of the present invention;

FIGS. 6-8 exemplarily depict experimental results as compared toconventional techniques;

FIG. 9 exemplarily depict adversarial examples on ImageNet generated bythe method 100 according to an embodiment of the present invention;

FIG. 10 exemplarily depicts an experimental result as compared toconventional techniques;

FIG. 11 depicts a cloud-computing node 10 according to an embodiment ofthe present invention;

FIG. 12 depicts a cloud-computing environment 50 according to anembodiment of the present invention; and

FIG. 13 depicts abstraction model layers according to an embodiment ofthe present invention.

DETAILED DESCRIPTION

The invention will now be described with reference to FIGS. 1-13, inwhich like reference numerals refer to like parts throughout. It isemphasized that, according to common practice, the various features ofthe drawings are not necessarily to scale. On the contrary, thedimensions of the various features can be arbitrarily expanded orreduced for clarity.

By way of introduction of the example depicted in FIG. 1, an embodimentof an adversarial robustness testing method 100 according to the presentinvention can include various steps for an adversarial robustnesstesting system for checking a learning performance of black-boxartificial intelligence (AI) and machine-learning (ML) systems. Theinvention is distinct from robustness testing of software/module bugsand inherent security vulnerability because this invention is used togenerate adversarial inputs (data input manipulation). Robustnessevaluation is neither bug nor security testing—it associates with themodel's confidence in prediction given an input.

By way of introduction of the example depicted in FIG. 11, one or morecomputers of a computer system 12 according to an embodiment of thepresent invention can include a memory 28 having instructions stored ina storage system to perform the steps of FIG. 1.

Although one or more embodiments may be implemented in a cloudenvironment 50 (e.g., FIG. 13), it is nonetheless understood that thepresent invention can be implemented outside of the cloud environment.

With reference to FIG. 1, in step 101, a robustness of a black-boxsystem is tested under different access settings via an accelerator. Theaccelerator has the following functions of ‘efficient gradientestimation via random directional estimates and averaging’ (i.e,g{circumflex over ( )}(x)=b/q Σ2_(i=1){circumflex over( )}q(ƒ(x+εu_i)−ƒ(x))/εu_i, u_i˜unit-norm sphere; zeroth-orderstochastic variance reduction for nonconvex optimization), ‘dimensionreduction’ (i.e., reducing the attack space for query efficiency (e.g.,image resizing, data-driven decoder: x_adv=x_orig+D(δ_low) D:

{circumflex over ( )}(d_low→

{circumflex over ( )}(d_orig), a decoder such as AutoZOOM:Autoencoder-based zeroth order optimization method for attackingblack-box neural networks)), and problem splitting that can tear downthe robustness testing optimization process (i.e., attack objectiveunder a threat model) to small and efficient-to-solve subtasks by

Minimize

_x ƒ(x)+h(x)≡

Minimize

_(x,z) ƒ(x)+h(z) s.t. x=z using a general black-box adversarial attackframework via zeroth-order ADMM).

A black-box system is one that only allows access to system inputs andoutputs, but not model internals or details.

A white-box system is a model that details such as architecture andweights for inference are completely known to an adversary.

The different access settings include a ‘soft-label setting’ and a‘hard-label setting’. A soft-label setting may be system outputsprediction scores of each class, whereas a hard-label setting may besystem only outputs top-1 prediction label (no scores, neither otherclasses).

In other words, the invention receives a first classification of aninput as an output from the black-box system and determines a minimalchange to the input such that a second classification (i.e., differentfrom the first classification) is received as the output from theblack-box system. Indeed, the invention finds a minimal change to aninput such that a classification of an output from the black-box systemis different than an original classification of the input.

In step 102, given a legitimate input of a plurality of legitimateinputs having a correct class label, an optimal adversarial perturbationis determined using the accelerator such that a perturbed example ismisclassified to a target class including an incorrect class label bythe deep neural network (DNN) model trained on the legitimate inputs.

In step 103, for a soft-label setting (i.e., outputs prediction scoresof all classes) as the different access settings, the accelerator and agradient descent technique is used to find adversarial examples andsummarize robustness statistics.

In step 104, for a hard-label setting (i.e., only outputs the mostprobable (top-1) class label) as the different access settings, asmoothing function is used to summarize the robustness statistics.

With reference to FIG. 2, there are no limitations on the input datasetfor robustness testing. The invention can support any data format thatis a valid input to the AI/ML system. That is, the robustness objectiveis user-specified or uses system defined “threat models” for adversarialexamples (E.g., |x_adv-x_orig|_p≤s). Examples of inputs into theinvention include images, text (or embeddings), audio waveforms, tabledata, etc.

With reference generally to FIGS. 1-10, the invention operates withadversarial attacks in the application of an input (i.e., image or thelike) classification with deep neural networks (DNNs). To do so, ageneral problem formulation for adversarial attack is presented which isamenable to either white-box or black-box settings. Then, an efficientsolution is developed to the black-box setting where the adversary onlyhas access to certain types of outputs of the DNN model (i.e., internalstructures and configurations are unknown to the adversary). Inparticular, given a legitimate image x₀ ∈

^(d) with a correct class label to, the invention aims to design anoptimal adversarial perturbation δ∈

^(d) so that the perturbed example (x₀+δ) is misclassified to targetclass t≠t0 by the DNN model trained on legitimate images. Awell-designed perturbation δ can be obtained by solving the followingproblem of equation (1):

$\begin{matrix}{{{\underset{\delta}{minimize}\mspace{14mu} {f\left( {{x_{0} + \delta},t} \right)}} + {\gamma \; {D(\delta)}}}{{{{subject}\mspace{14mu} {to}\mspace{14mu} \left( {x_{0} + \delta} \right)} \in \left\lbrack {0,1} \right\rbrack^{d}},{{\delta }_{\infty} \leq \epsilon},}} & (1)\end{matrix}$

where ƒ(x,t) denotes the loss incurred by misclassifying (x₀+δ) totarget class t and D(δ) is a distortion function that controlsperceptual similarity between a legitimate image and an adversarialexample (i.e., D(δ)≡⁻∥δ∥₂ ²,∥·∥_(∞) signifies the L_(∞) norm.

In equation (1), the ‘hard’ constraints (i.e., hard-label settings)ensure that the perturbed noise δ at each pixel is imperceptible up to apredefined E-tolerant threshold and the non-negative regularizationparameter γ places emphasis on the distortion between an adversarialexample and a legitimate image. Furthermore, in the above equation (1),D⁻(δ)=∥δ∥₂ ² ⁻ ; which is motivated by the superior performance of theC&W L₂ adversarial attack.

It is noted that a choice of a loss function ƒ(x,t) can be varied in theinvention. That is, without loss of generality, the invention focuses ontargeted attack with a designated target class t (i.e., a secondclassification) to mislead the DNN (i.e., from the first classificationof the original input) since the untargeted attack version can beimplemented based on that of the targeted attack. It is emphasized thatin the black-box setting, the gradients of ƒ(x,t) cannot be obtaineddirectly as it does in the white-box setting. The form of the lossfunction ƒ(x,t) depends on the constrained information in differentblack-box feedback settings. In particular, the definition ofscore-based approach and a decision-based attacks as well as their lossfunctions are discussed as follows.

In the score-based attack setting, the adversaries are able to makequeries to the DNN to obtain the soft labels (i.e., scores orprobabilities of an image belonging to different classes), whileinformation on gradients are not available. The loss function ofequation (1) in the score-based attack is equation (2):

$\begin{matrix}{{{f\left( {{x_{0} + \delta},t} \right)} = {\max \left\{ {\max\limits_{j \neq t}\left\{ {{{\log \; {P\left( {x_{0} + \delta} \right)}_{j}} - {\log \; {P\left( {x_{0} + \delta} \right)}_{t}}},{- \kappa}} \right\}} \right\}}},} & (2)\end{matrix}$

Equation (2) yields the good performance among existing white-boxattacks. P(x)_(j) denotes the target model's prediction score orprobability of the j-th class, and K is a confidence parameter, which isusually set to zero. Basically, this implies ƒ(x₀+δ, t)=0 if P(x₀+δ)_(t) is the largest among all classes, which means theperturbation δ has successfully made the target model misclassified x₀+δto target class t. Otherwise, it will be larger than zero. It is notedthat in equation (2) the log probability log P (x) is used instead ofdirectly using the actual probability P(x) because the outputprobability distribution tends to have the probability of one particularclass dominating the others, which makes the query on theprobability/score less effective. This explains why the log operator isused to reduce the effect of the dominating class while still preservingthe probability order for all classes.

For untargeted adversarial attack, the classification of the adversarialexample x₀+δ should be different from its correct class to. The lossfunction takes the following form of equation (3):

$\begin{matrix}{{f\left( {x_{0} + \delta} \right)} = {\max {\left\{ {{{\log \; {P\left( {x_{0} + \delta} \right)}_{t_{0}}} - {\max\limits_{j \neq t_{0}}\left\{ {\log \; {P\left( {x_{0} + \delta} \right)}_{j}} \right\}}},{- \kappa}} \right\}.}}} & (3)\end{matrix}$

Basically, equation (3) achieves its minimum value when P (x₀+δ)_(t0) isnot the largest among all classes, which implies a successful untargetedattack.

Different from the score-based attack, the decision-based attack is morechallenging in that the adversaries can only make queries to get thehard-labels instead of the soft-labels P(x)_(j). Let H(x)_(i) denote thehard-label decision of the input image x for class i. H(x)_(i)=1 if thedecision for x is label i, and 0 otherwise. Also, i=1 H(x)_(i)=1 for allK classes. Then the loss function of equation (1) in the decision-basedattack is specified as equation (4) as follows:

$\begin{matrix}{{{f\left( {{x_{0} + \delta},t} \right)} = {{\max\limits_{j \neq t}{H\left( {x_{0} + \delta} \right)}_{j}} - {H\left( {x_{0} + \delta} \right)}_{t}}},} & (4)\end{matrix}$

Therefore, ƒ(x₀+δ, t)∈{−1, 1}, and the attacker succeeds if ƒ(x₀+δ,t)=−1. The loss function of equation (4) is non-smooth with discreteoutputs. The decision-based attack is therefore more challenging becauseexisting combinatorial optimization methods are almost ineffective orinapplicable considering the high dimensionality of the problem.

Thereby, the invention builds on the above identified problem forequations (1)-(4) to identify a minimal change of an input to not havethe same classification by a DNN. The invention includes a generalblack-box adversarial attack framework for both the score-based anddecision-based attacks by leveraging an inventive technique (i.e.,‘ZO-ADMM’). The invention, via the below, yields benefits such as anefficient splitting between the black-box loss function and thewhite-box adversarial distortion function and a generalization tovarious L_(p) norm involved hard/soft constraints. By introducing anauxiliary variable z, equation (1) can be rewritten in the favor ofADMM-type methods as equations (5)-(8) as follows:

$\begin{matrix}{\mspace{79mu} {{{\underset{\delta,z}{minimize}{f\left( {{x_{0} + \delta},t} \right)}} + {{\gamma (D)}z} + {\mathcal{I}(z)}}\mspace{79mu} {{{{subject}\mspace{14mu} {to}\mspace{14mu} z} = \delta},}}} & (5) \\{\mspace{79mu} {{where}\mspace{14mu} {\mathcal{I}(z)}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} {indicator}\mspace{14mu} {function}\mspace{14mu} {given}\mspace{14mu} {by}}} & \; \\{\mspace{79mu} {{\mathcal{I}(z)} = \left\{ \begin{matrix}0 & {{\left( {x_{0} + z} \right) \in \left\lbrack {0,1} \right\rbrack^{d}},{{z}_{\infty} \leq \epsilon},} \\\infty & {{otherwise}.}\end{matrix} \right.}} & (6) \\{\mspace{79mu} {{{The}\mspace{14mu} {augmented}\mspace{14mu} {Lagrangian}\mspace{14mu} {of}\mspace{14mu} {the}\mspace{14mu} {reformulated}}\mspace{79mu} {{problem}\mspace{14mu} (5)\mspace{14mu} {is}\mspace{14mu} {given}\mspace{14mu} {by}}}} & \; \\{\mspace{79mu} {{{\mathcal{L}\left( {z,\delta,u} \right)} = {{\gamma \; {D(z)}} + {\mathcal{I}(z)} + {f\left( {{x_{0} + \delta},t} \right)} + {u^{T}\left( {z - \delta} \right)} + {\frac{\rho}{2}{{z - \delta}}_{2}^{2}}}},}} & (7) \\{{{{where}\mspace{14mu} u\mspace{14mu} {is}\mspace{14mu} {Lagrangian}\mspace{14mu} {multiplier}},{{{and}\mspace{14mu} \rho} > {0\mspace{14mu} {is}\mspace{14mu} a\mspace{14mu} {given}}}}{{{penalty}\mspace{14mu} {{parameter}.\mspace{14mu} {It}}\mspace{14mu} {can}\mspace{14mu} {be}\mspace{14mu} {further}\mspace{14mu} {transformed}\mspace{14mu} {as}\mspace{14mu} {below}},}} & \; \\{{\mathcal{L}\left( {z,\delta,u} \right)} = {{\gamma \; {D(z)}} + {\mathcal{I}(z)} + {f\left( {{x_{0} + \delta},t} \right)} + {\frac{\rho}{2}{{z - \delta + {\frac{1}{\rho}u}}}_{2}^{2}} - {\frac{1}{2\rho}{{u}_{2}^{2}.}}}} & (8)\end{matrix}$

Similar to the standard ADMM algorithm, the inventive ‘ZO-ADMM’ splitsoptimization variables into two blocks and adopts the followingiterative scheme of equations (9)-(11):

$\begin{matrix}{{z^{k + 1} = {\underset{z}{\arg \; \min}{\mathcal{L}\left( {z,\delta^{k},u^{k}} \right)}}},} & (9) \\{{\delta^{k + 1} = {\underset{\delta}{\arg \; \min}{\mathcal{L}\left( {z^{k + 1},\delta,u^{k}} \right)}}},} & (10) \\{{u^{k + 1} = {u^{k} + {\rho \left( {z^{k + 1} - \delta^{k + 1}} \right)}}},} & (11)\end{matrix}$

where k denotes the iteration index. In equation (9), the inventionminimizes L(z, δ, u) over z given parameters δ^(k) and u^(k). Inequation (10), the invention minimizes L(z, δ, u) over δ given z^(k+1)from the previous step and u^(k). Then, the Lagrangian multiplier u isupdated in equation (11). The major advantage of this ADMM-typealgorithm is that it allows the invention to split the original complexproblem into sub-problems, each of which can be solved more efficientlyor even analytically. In what follows, equations (9) and (10) aresolved, respectively.

For z-step, equation (9) can be rewritten as:

$\begin{matrix}{{{\underset{z}{minimize}\mspace{14mu} {D(z)}} + {\frac{\rho}{2\gamma}{{z - a}}_{2}^{2}}}{{{{subject}\mspace{14mu} {to}\mspace{14mu} \left( {x_{0} + z} \right)} \in \left\lbrack {0,1} \right\rbrack^{d}},{{z}_{\infty} \leq \epsilon},}} & (12) \\{{{{where}\mspace{14mu} a} = {\delta^{k} - {\left( {1\text{/}\rho} \right){u^{k}.\mspace{14mu} \text{Equation~~(12)~~can~~be}}}}}\text{decomposed~~elementwise~~as~~below,}} & \; \\{{{\underset{z_{i}}{minimize}\mspace{14mu} \left( {z_{i} - {\frac{\rho}{{2\gamma} + \rho}a_{i}}} \right)^{2}}{{subject}\mspace{14mu} {to}\mspace{14mu} \left( {\left\lbrack x_{0} \right\rbrack_{i} + z_{i}} \right)} \in \left\lbrack {0,1} \right\rbrack},{{z_{i}} \leq \epsilon},} & (13) \\{{{where}\mspace{11mu}\lbrack x\rbrack}_{i}\mspace{14mu} \left( {{or}\mspace{14mu} x_{i}} \right)\mspace{14mu} {denotes}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {element}\mspace{14mu} {of}\mspace{14mu} {x.\text{The~~solution~~to~~equation~~(13)~~is~~then~~given~~by}}} & \; \\{\left\lbrack z^{k + 1} \right\rbrack_{i} = \left\{ \begin{matrix}{\min \left\{ {{1 - \left\lbrack x_{0} \right\rbrack_{i}},\epsilon} \right\}} & {{\frac{\rho}{{2\gamma} + \rho}a_{i}} > {\min \left\{ {{1 - \left\lbrack x_{0} \right\rbrack_{i}},\epsilon} \right\}}} \\{\max \left\{ {{- \left\lbrack x_{0} \right\rbrack_{i}},{- \epsilon}} \right\}} & {{\frac{\rho}{{2\gamma} + \rho}a_{i}} < {\max \left\{ {{- \left\lbrack x_{0} \right\rbrack_{i}},{- \epsilon}} \right\}}} \\{\frac{\rho}{{2\gamma} + \rho}a_{i}} & {\text{otherwise}.}\end{matrix} \right.} & (14)\end{matrix}$

To generalize to various Lp norms, in equation (12), the invention setsD(z)=∥z∥₂ ² where the L₂ norm is used to measure the similarity betweenthe legitimate image and the adversarial example. If D(z) takes otherL_(p) norms such as ∥z∥₀, ∥z∥₁ or even L_(p) norm combinations like

${{z}_{1} + {\frac{\beta}{2}{z}_{2}^{2}}},$

the invention is still able to obtain the solutions with minormodifications in the z-step. This ability is highly non-trivial forother black-box attacks, which are often heavily customized to minimizea specific L_(p) norm for distortion measure.

In the experiments discussed later, although the proposed ‘ZO-ADMMapproach’ can minimize different L_(p) norms for the distortion, theinvention mainly considers the case of D(z)=∥z∥₂ ² for a fair comparisonwith other white-box and black-box algorithms. But, it is highlightedthat the ‘ZO-ADMM method’ is able to optimize various L_(p) norms, notonly the L₂ norm.

For the δ-step, equation (10) can be written as:

$\begin{matrix}{{{\underset{\delta}{minimize}\mspace{14mu} {f\left( {{x_{0} + \delta},t} \right)}} + {\frac{\rho}{2}{{\delta - b}}_{2}^{2}}},} & (15)\end{matrix}$

where b=z^(k+1)+(1/ρ)u^(k). In the white-box setting, since thegradients of ƒ(x₀+δ, t) are directly accessible, gradient descent methodlike stochastic gradient descent (SGD) can be applied straight-forwardlyto solve equation (15). However, in black-box settings, the gradients ofƒ(x₀+δ, t) are unavailable. Thus, to overcome this difficulty, theinvention adopts the random gradient estimation method, which isdetailed below.

That is, for the random gradient estimation, in the black-box setting,the gradient of ƒ(x₀+δ, t) is estimated using a random gradientestimator of equation (16):

$\begin{matrix}{{{\hat{\nabla}{f(\delta)}} = {\left( {d\text{/}({vQ})} \right){\sum\limits_{j = 1}^{Q}\; {\left\lbrack {{f\left( {\delta + {vu}_{j}} \right)} - {f(\delta)}} \right\rbrack u_{j}}}}},} & (16)\end{matrix}$

where d is the number of optimization variables, v>0 is a smoothingparameter, {u_(j)} denotes independent and identically distributed(i.i.d.) random direction vectors drawn from a uniform distribution overa unit sphere, and Q is the number of random direction vectors. A largeQ reduces the gradient estimation error and improves the convergence of‘ZO-ADMM’. However, it is found that a moderate size of Q is sufficientto provide a good trade-off between estimation error and querycomplexity. The invention sets Q=20 in the experiments. It is alsohighlighted that the random gradient estimation in equation (16) onlyrequires O(Q) query complexity instead of O(dQ) caused bycoordinate-wise gradient estimation.

With the random gradient estimation, the solution to equation (15) canbe obtained via stochastic gradient descent methods like SGD. However,it usually takes thousands of steps in the gradient descent process andat each step, multiple queries are required for accurate gradientestimation. The huge amount of queries will make the black-box attackcomputationally intensive.

To sidestep this computational bottleneck, it is noted that ‘ZO-ADMM’enjoys dual advantages of gradient-free operation and linearization ofthe loss function. By linearization, the loss function ƒ(x₀+δ, t) inequation (15) is replaced with its first-order Taylor expansion plus aregularization term (known as Bregman divergence) (i.e., ∇{hacek over(ƒ)}(δ^(k)+x₀,t))^(T)(δ−δ^(k))+½ ∥δ{hacek over (−)}δ^(k)∥_(G) ²,) whereG is a pre-defined positive definite matrix, and ∥x∥_(G) ²=x^(T)Gx.

Ĝ=η_(k)I where 1/η_(k)>0 is chosen as a decaying parameter (i.e.,η_(k)=α√{square root over (k)} for a given constant is α>0). The Bregmandivergence term is used to stabilize the convergence of δ. Combininglinearization and ZO gradient estimation, equation (15) takes thefollowing form of equation (17)

$\begin{matrix}{{{\underset{\delta}{minimize}\mspace{14mu} \left( {\hat{\nabla}{f\left( {{\delta^{k} + x_{0}},t} \right)}} \right)^{T}\left( {\delta - \delta^{k}} \right)} + {\frac{n_{k}}{2}{{\delta - \delta^{k}}}_{2}^{2}} + {\frac{\rho}{2}{{\delta - b}}_{2}^{2}}},} & (17)\end{matrix}$

And, equation (17) yields a quadratic programming problem with thefollowing closed-form solution of equation (18):

δ^(k+1)=(1/(η_(k)+ρ))(η_(k)δ^(k) +ρb−{circumflex over (∇)}ƒ(δ^(k) +x ₀,t)).  (18)

It is noted that equation (18) can be calculated with only one step ofgradient estimation, which is a significant improvement on the queryefficiency compared with solving equation (15) using gradient descentmethod with thousands of random estimations.

For the score-based black-box attack, equation (1) with loss function ofequation (2) can be naturally solved through the general ‘ZO-ADMM-basedframework’. In the decision-based black-box attack, the form of the lossfunction of equation (4) is non-smooth with discrete outputs. Toovercome the discontinuity in equation (4), a smoothing version ofequation (4), denoted by ƒ_(μ) with smoothing parameter μ>0 is takeninto consideration as in equation (19):

ƒ_(μ)(x ₀ +δ,t)=

_(u∈U) _(b) [ƒ(x ₀ +δ+μu,t)],  (19)

where U_(b) is a uniform distribution within the unit Euclidean ball, oru can follow a standard Gaussian distribution. The rational behind thesmoothing technique in equation (19) is that the convolution of twofunctions (i.e., ƒ_(u) ƒ(x₀+δ+μu, t)p(u)du, is at least as smooth as thesmoothest of the two original functions. Therefore, when p is thedensity of a random variable with respect to Lebesgue measure, the lossfunction in equation (19) is then smooth. In practice, an empiricalMonte Carlo approximation of (19) is considered as shown in equation(20):

$\begin{matrix}{{{f_{\mu}\left( {{x_{0} + \delta},t} \right)} \approx {\frac{1}{N}{\sum\limits_{i = 1}^{N}\; {f\left( {{x_{0} + \delta + {\mu \; u_{i}}},t} \right)}}}},} & (20)\end{matrix}$

where {u_(i)} are N i.i.d. samples drawn from U_(b). With the smoothedloss function as in equation (20), equation (1) can be solved by theinventive general ‘ZO-ADMM-based framework’. To initialize the‘ZO-ADMM’, the invention initializes the perturbation δ so that theinitial perturbed image belong to the target class, yielding a benefitof reducing query complexity com-pared to the initialization with anarbitrary image.

Performance Evaluation and Experimental Results

In this section, the experimental results of the score-based anddecision-based black-box attacks are demonstrated. The experimentscompare the invention ‘ZO-ADMM-based framework’ with a transfer attacktechnique and the ZOO attack technique on three image classificationdatasets, MNIST, CIFAR-10, and ImageNet. The results of state-of-the-artwhite-box attack (i.e., C&W attack) are also provided for reference.

The experiments are run by training two networks for MNIST and CIFAR-10datasets, respectively, which can achieve 99.5% accuracy on MNIST and80% accuracy on CIFAR-10. The model architecture has four convolutionallayers, two max pooling layers, two fully connected layers and a softmaxlayer. For ImageNet, the experiments utilize a pro-trained Inception v3network instead of training our a new model, which can achieve 96% top-5accuracy. All experiments are conducted on machines with NVIDIA GTX 1080TI GPUs.

In the evaluation on MNIST and CIFAR-10, 100 correctly classified imagesare selected from MNIST and CIFAR-10 test datasets, respectively. Foreach image, the target labels are set to the other 9 classes and a totalof 900 attacks are performed for each attack method.

The implementations of C&W (white-box) attack and ZOO (black-box) attackare based on the GitHub code released by the authors. For the ZOOattack, the experiments use ZOO-ADAM with default Adam parameters andset λ_(ini)=10. For the transfer attack, the C&W attack is applied tothe surrogate model with κ=20 to improve the attack transferability and2,000 iterations in each binary search step. In the inventive‘ZO-ADMM-based attack’, the sampling number in random gradientestimation as defined in equation (16), Q, is set to 20 and the samplingnumber for the decision-based smoothed loss function of (20), N, is setto 10. Further, the experiments set ρ=1 and γ=1 for MNIST, ρ=10000 andγ=10 for CIFAR-10, and ρ=1000 and γ=1 for ImageNet. ε is set to 1 forthree datasets. v is set to 1 for MNIST, 0.1 for CIFAR-10, and 0.01 forImageNet. The experiments set μ=0.1 for three datasets.

The experimental results are shown in FIG. 3. Besides the attack successrate (ASR) and the L_(p) norms, the experiments report the query numberon initial success due to the observation that the ‘ZO-ADMM’ score-basedattack converges fast after the first successful attack is achieved. Theexperiments also show that the transfer attack suffers from low attacksuccess rate (ASR) and large L₂ distortion. Both the ‘ZOO attack’ andthe inventive ‘ZO-ADMM attack’ can achieve high attack success rate andcompetitive L₂ distortion close to the C&W white-box attack. Comparedwith the ‘ZOO attack’ (i.e., 12161), the ‘ZO-ADMM score-based attack’(i.e., 493.6) requires far fewer queries to obtain the first successfuladversarial example. The query count on the first successful attack in‘ZO-ADMM attack’ is reduced by 95.9% and 97.5% on MNIST and CIFAR-10,respectively. The reduction of query number on first successful attackis achieved by a linearization technique in ‘ZO-ADMM’, which onlyrequires one step of gradient estimation to solve the approximationproblem instead of thousands of steps to solve the original problem.

The experiments also show that the ‘ZO-ADMM decision-based attack’achieves an L₂ distortion slightly larger than the score-based attackwith more queries. This is reasonable since only the hard label outputsare available in the decision-based attack, which is more challengingthan the score-based setting. But, it is noted that the ‘ZO-ADMMdecision-based attack’ requires fewer queries to achieve the same L₂distortion of initial success with the ‘ZOO attack’. Although the L₂ isa bit larger, the experiments show that the perturbations are stillvisually indistinguishable as demonstrated in FIGS. 4-5. FIGS. 4-5further show the evolution of several adversarial examples in thedecision-based attack versus the query number. The decision-based attackstarts from an image in the target class. Then it tries to decrease theL₂ norm while keeping the classified label unchanged. After about 20,000queries, the adversarial example is close to the original image with asmall L₂ distance.

For evaluation on ImageNet, the experiments include performing targetedand untargeted attacks in the score-based and decision-based settings onImageNet. 50 correctly classified images are randomly selected. For eachimage in targeted attack, 9 random labels out of 1000 classes areselected to serve as the targets. The experiments do not perform thetransfer attack since it does not scale well to ImageNet due to trainingof the surrogate model. Instead, the experiments provide the results ofnew baselines on ImageNet, the query-limited and label-only attacks. Thequery-limited attack is a score-based attack. The label-only attack is adecision-based attack. The experiments follow the default parametersetting for the query limited and label only attacks. The inventionprovides for finding minimal changes to an input such that an outputwould not be classified the same as the input.

The experimental results are summarized in FIG. 6. For the score-basedattacks, it is observed that the ‘ZOO attack’ is not able to keep highattack success rate (within a large but fixed query budget). The‘query-limited attack’ can attain a high attack success rate and achieveinitial success with fewer queries. But, as it only uses constraints onthe L_(∞) norm without minimizing L₂ norm, relatively large L₂ norm canbe observed as shown in FIG. 6. It is shown in FIG. 6 that the ‘ZO-ADMMscore-based attack’ can achieve a high success rate with fewer queriesthan the ‘ZOO attack’ or the ‘query-limited attack’. Also, the inventivetechnique reduces the query number on initial success by 96.3% and 99.2%for untargeted and targeted attacks, respectively, compared with the‘ZOO attack’. Although the final L₂ norms of black-box attacks are ingeneral larger than the white-box C&W attack, the perturbations arestill visually imperceptible. For decision-based attacks, the‘ZO-ADMM-based attack’ can obtain a high success rate with fewer queriescompared with the label-only attack or even the ‘ZOO attack’. FIG. 9shows the adversarial examples generated by the ‘ZO-ADMM decision-basedattack’. The classification of the image ‘brain coral’ is changed to 4different target classes after adding imperceptible perturbations.

For convergence of the ‘ZO-ADMM attack’, the convergence of the‘ZO-ADMM-based attack’ on three datasets is shown in FIGS. 7-8. Theaverage L₂ distortion of 9 targeted adversarial examples versus thequery number is presented in FIG. 7. In the score-based attack, theinitial L₂ distortion is zero since the ‘ZO-ADMM-based attack’ startsfrom a zero perturbation. The experiments show that before a successfuladversarial example is found, the L₂ distortion keeps increasing. Afterthe ‘ZO-ADMM-based attack’ achieves its first success, the algorithmthen tries to decrease the L₂ distortion while maintaining its targetlabel. The experiments highlight that the ‘ZO-ADMM attack’ is able toachieve its initial success with hundreds of queries on MNIST orCIFAR-10 and tens of thousands of queries on ImageNet, which is a greatimprovement over the ‘ZOO attack’. For the decision-based attack, the L₂distortion is relatively large at first as the ‘ZO-ADMM-based attack’starts from an image in the target class instead of the original image.As observed from FIG. 7, the L₂ distortion of the adversarial examplesdecreases as the query number increases. FIG. 8 demonstrates the L₂distortion of adversarial examples versus the ‘ZO-ADMM’ iterationnumber. It is noted that in each ‘ZO-ADMM’ iteration, the decision-basedattack usually needs more queries than the score-based attack due to thesmoothed loss function.

The experiments also show that although the initial L₂ distortion islarge due to the initial image in the target class, it can converge to avalue close to the L₂ distortion of the score-based attack.

Also, the experimental results for different L_(p) norms aredemonstrated when solving equation (12). The experiments are run basedon a developed three score-based black-box attacks with ‘ZO-ADMM’,minimizing the L₀, L₁ and L₂ norm of the perturbation, respectively. Asshown in FIG. 10, the ‘ZO-ADMM’ technique provides a general frameworkto minimize different L_(p) norms by simply setting D(z) to thecorresponding L_(p) norm.

Exemplary Aspects, Using a Cloud Computing Environment

Although this detailed description includes an exemplary embodiment ofthe present invention in a cloud computing environment, it is to beunderstood that implementation of the teachings recited herein are notlimited to such a cloud computing environment. Rather, embodiments ofthe present invention are capable of being implemented in conjunctionwith any other type of computing environment now known or laterdeveloped.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client circuits through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes.

Referring now to FIG. 11, a schematic of an example of a cloud computingnode is shown. Cloud computing node 10 is only one example of a suitablenode and is not intended to suggest any limitation as to the scope ofuse or functionality of embodiments of the invention described herein.Regardless, cloud computing node 10 is capable of being implementedand/or performing any of the functionality set forth herein.

Although cloud computing node 10 is depicted as a computer system/server12, it is understood to be operational with numerous other generalpurpose or special purpose computing system environments orconfigurations. Examples of well-known computing systems, environments,and/or configurations that may be suitable for use with computersystem/server 12 include, but are not limited to, personal computersystems, server computer systems, thin clients, thick clients, hand-heldor laptop circuits, multiprocessor systems, microprocessor-basedsystems, set top boxes, programmable consumer electronics, network PCs,minicomputer systems, mainframe computer systems, and distributed cloudcomputing environments that include any of the above systems orcircuits, and the like.

Computer system/server 12 may be described in the general context ofcomputer system-executable instructions, such as program modules, beingexecuted by a computer system. Generally, program modules may includeroutines, programs, objects, components, logic, data structures, and soon that perform particular tasks or implement particular abstract datatypes. Computer system/server 12 may be practiced in distributed cloudcomputing environments where tasks are performed by remote processingcircuits that are linked through a communications network. In adistributed cloud computing environment, program modules may be locatedin both local and remote computer system storage media including memorystorage circuits.

Referring now to FIG. 11, a computer system/server 12 is shown in theform of a general-purpose computing circuit. The components of computersystem/server 12 may include, but are not limited to, one or moreprocessors or processing units 16, a system memory 28, and a bus 18 thatcouples various system components including system memory 28 toprocessor 16.

Bus 18 represents one or more of any of several types of bus structures,including a memory bus or memory controller, a peripheral bus, anaccelerated graphics port, and a processor or local bus using any of avariety of bus architectures. By way of example, and not limitation,such architectures include Industry Standard Architecture (ISA) bus,Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, VideoElectronics Standards Association (VESA) local bus, and PeripheralComponent Interconnects (PCI) bus.

Computer system/server 12 typically includes a variety of computersystem readable media. Such media may be any available media that isaccessible by computer system/server 12, and it includes both volatileand non-volatile media, removable and non-removable media.

System memory 28 can include computer system readable media in the formof volatile memory, such as random access memory (RAM) 30 and/or cachememory 32. Computer system/server 12 may further include otherremovable/non-removable, volatile/non-volatile computer system storagemedia. By way of example only, storage system 34 can be provided forreading from and writing to a non-removable, non-volatile magnetic media(not shown and typically called a “hard drive”). Although not shown, amagnetic disk drive for reading from and writing to a removable,non-volatile magnetic disk (e.g., a “floppy disk”), and an optical diskdrive for reading from or writing to a removable, non-volatile opticaldisk such as a CD-ROM, DVD-ROM or other optical media can be provided.In such instances, each can be connected to bus 18 by one or more datamedia interfaces. As will be further described below, memory 28 mayinclude a computer program product storing one or program modules 42comprising computer readable instructions configured to carry out one ormore features of the present invention.

Program/utility 40, having a set (at least one) of program modules 42,may be stored in memory 28 by way of example, and not limitation, aswell as an operating system, one or more application programs, otherprogram modules, and program data. Each of the operating system, one ormore application programs, other program modules, and program data orsome combination thereof, may be adapted for implementation in anetworking environment. In some embodiments, program modules 42 areadapted to generally carry out one or more functions and/ormethodologies of the present invention.

Computer system/server 12 may also communicate with one or more externaldevices 14 such as a keyboard, a pointing circuit, other peripherals,such as display 24, etc., and one or more components that facilitateinteraction with computer system/server 12. Such communication can occurvia Input/Output (I/O) interface 22, and/or any circuits (e.g., networkcard, modem, etc.) that enable computer system/server 12 to communicatewith one or more other computing circuits. For example, computersystem/server 12 can communicate with one or more networks such as alocal area network (LAN), a general wide area network (WAN), and/or apublic network (e.g., the Internet) via network adapter 20. As depicted,network adapter 20 communicates with the other components of computersystem/server 12 via bus 18. It should be understood that although notshown, other hardware and/or software components could be used inconjunction with computer system/server 12. Examples, include, but arenot limited to: microcode, circuit drivers, redundant processing units,external disk drive arrays, RAID systems, tape drives, and data archivalstorage systems, etc.

Referring now to FIG. 12, illustrative cloud computing environment 50 isdepicted. As shown, cloud computing environment 50 comprises one or morecloud computing nodes 10 with which local computing circuits used bycloud consumers, such as, for example, personal digital assistant (PDA)or cellular telephone 54A, desktop computer 54B, laptop computer 54C,and/or automobile computer system 54N may communicate. Nodes 10 maycommunicate with one another. They may be grouped (not shown) physicallyor virtually, in one or more networks, such as Private, Community,Public, or Hybrid clouds as described hereinabove, or a combinationthereof. This allows cloud computing environment 50 to offerinfrastructure, platforms and/or software as services for which a cloudconsumer does not need to maintain resources on a local computingcircuit. It is understood that the types of computing circuits 54A-Nshown in FIG. 12 are intended to be illustrative only and that computingnodes 10 and cloud computing environment 50 can communicate with anytype of computerized circuit over any type of network and/or networkaddressable connection (e.g., using a web browser).

Referring now to FIG. 13, an exemplary set of functional abstractionlayers provided by cloud computing environment 50 (FIG. 12) is shown. Itshould be understood in advance that the components, layers, andfunctions shown in FIG. 13 are intended to be illustrative only andembodiments of the invention are not limited thereto. As depicted, thefollowing layers and corresponding functions are provided:

Hardware and software layer 60 includes hardware and softwarecomponents. Examples of hardware components include: mainframes 61; RISC(Reduced Instruction Set Computer) architecture based servers 62;servers 63; blade servers 64; storage circuits 65; and networks andnetworking components 66. In some embodiments, software componentsinclude network application server software 67 and database software 68.

Virtualization layer 70 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers71; virtual storage 72; virtual networks 73, including virtual privatenetworks; virtual applications and operating systems 74; and virtualclients 75.

In one example, management layer 80 may provide the functions describedbelow. Resource provisioning 81 provides dynamic procurement ofcomputing resources and other resources that are utilized to performtasks within the cloud computing environment. Metering and Pricing 82provide cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal 83 provides access to the cloud computing environment forconsumers and system administrators. Service level management 84provides cloud computing resource allocation and management such thatrequired service levels are met. Service Level Agreement (SLA) planningand fulfillment 85 provide pre-arrangement for, and procurement of,cloud computing resources for which a future requirement is anticipatedin accordance with an SLA.

Workloads layer 90 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation 91; software development and lifecycle management 92; virtualclassroom education delivery 93; data analytics processing 94;transaction processing 95; and adversarial robustness testing method 100in accordance with the present invention.

The present invention may be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product may include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider). In some embodiments, electronic circuitry including,for example, programmable logic circuitry, field-programmable gatearrays (FPGA), or programmable logic arrays (PLA) may execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the blocks may occur out of theorder noted in the Figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

Further, Applicant's intent is to encompass the equivalents of all claimelements, and no amendment to any claim of the present applicationshould be construed as a disclaimer of any interest in or right to anequivalent of any element or feature of the amended claim.

What is claimed is:
 1. A computer-implemented adversarial robustnesstesting method for checking a learning performance of a black-boxsystem, the method comprising: testing a robustness of a black-boxsystem under different access settings via an accelerator.
 2. The methodof claim 1, wherein the different access settings comprise: a soft-labelsetting; and a hard-label setting.
 3. The method of claim 1, furthercomprising, for a soft-label setting as one of the different accesssettings, using the accelerator and a gradient descent technique to findan adversarial example and summarize a robustness statistic.
 4. Themethod of claim 1, further comprising, for a hard-label setting as oneof the different access settings, using a smoothing function tosummarize a robustness statistic.
 5. The method of claim 3, furthercomprising, for a hard-label setting as one of the different accesssettings, using a smoothing function to summarize a robustnessstatistic.
 6. The method of claim 1, further comprising, given alegitimate input of a plurality of legitimate inputs having a correctclass label, determining an optimal adversarial perturbation using theaccelerator such that a perturbed example is misclassified to a targetclass including an incorrect class label by a deep neural network (DNN)model trained on the legitimate inputs.
 7. The method of claim 1,wherein the accelerator comprises a function including an efficientgradient estimation via a random directional estimate and averaging. 8.The method of claim 1, wherein the accelerator comprises a functionincluding a dimension reduction of an input.
 9. The method of claim 1,wherein the accelerator comprises a function including a problemsplitting between a black-box loss function and a white-box adversarialdistortion function.
 10. The method of claim 1, embodied in acloud-computing environment.
 11. A computer program product foradversarial robustness testing for checking a learning performance of ablack-box system, the computer program product comprising acomputer-readable storage medium having program instructions embodiedtherewith, the program instructions executable by a computer to causethe computer to perform: testing a robustness of a black-box systemunder different access settings via an accelerator.
 12. The computerprogram product of claim 11, wherein the different access settingscomprise: a soft-label setting; and a hard-label setting.
 13. Thecomputer program product of claim 11, further comprising, for asoft-label setting as one of the different access settings, using theaccelerator and a gradient descent technique to find an adversarialexample and summarize a robustness statistic.
 14. The computer programproduct of claim 11, further comprising, for a hard-label setting as oneof the different access settings, using a smoothing function tosummarize a robustness statistic.
 15. The computer program product ofclaim 13, further comprising, for a hard-label setting as one of thedifferent access settings, using a smoothing function to summarize arobustness statistic.
 16. The computer program product of claim 11,further comprising, given a legitimate input of a plurality oflegitimate inputs having a correct class label, determining an optimaladversarial perturbation using the accelerator such that a perturbedexample is misclassified to a target class including an incorrect classlabel by a deep neural network (DNN) model trained on the legitimateinputs.
 17. The computer program product of claim 11, wherein theaccelerator comprises a function including an efficient gradientestimation via a random directional estimate and averaging.
 18. Thecomputer program product of claim 11, wherein the accelerator comprisesa function including a dimension reduction of an input.
 19. The computerprogram product of claim 11, wherein the accelerator comprises afunction including a problem splitting between a black-box loss functionand a white-box adversarial distortion function.
 20. An adversarialrobustness testing system for checking a learning performance of ablack-box system, the system comprising: a processor; and a memory, thememory storing instructions to cause the processor to perform: testing arobustness of a black-box system under different access settings via anaccelerator.
 21. The system of claim 20, wherein the different accesssettings comprise: a soft-label setting; and a hard-label setting. 22.The system of claim 20, further comprising, for a soft-label setting asone of the different access settings, using the accelerator and agradient descent technique to find an adversarial example and summarizea robustness statistic.
 23. The system of claim 20, embodied in acloud-computing environment.
 24. A computer-implemented adversarialrobustness testing method for checking a learning performance of ablack-box system, the method comprising: receiving a firstclassification of an input as an output from the black-box system; anddetermining a minimal change to the input such that a secondclassification is received as the output from the black-box system. 25.A computer-implemented adversarial robustness testing method forchecking a learning performance of a black-box system, the methodcomprising: finding a minimal change to an input such that aclassification of an output from the black-box system is different thanan original classification of the input.